CVE-2025-54254 Adobe Experience Manager | Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)

🗓️ 05 Aug 2025 16:53:39Reported by adobeType

Adobe Experience Manager 6.5.23 and earlier vulnerable to XXE allowing unauthorized file access.

Reporter	Title	Published	Views	Family All 18
GithubExploit	Exploit for Incorrect Authorization in Adobe Experience_Manager_Forms	10 Feb 202620:10	–	githubexploit
GithubExploit	Exploit for Incorrect Authorization in Adobe Experience_Manager_Forms	4 Nov 202509:29	–	githubexploit
Tenable Nessus	Adobe Experience Manager 6.0.0.0 < 6.5.24.0 Multiple Vulnerabilities (APSB25-82)	6 Aug 202500:00	–	nessus
BDU FSTEC	The vulnerability of the corporate platform for creating, managing, and processing electronic forms, documents, and business processes within Adobe Experience Manager (AEM) Forms on JEE lies in the incorrect restrictions on XML links to external objects. This allows attackers to read arbitrary files.	8 Aug 202500:00	–	bdu_fstec
Circl	CVE-2025-54254	6 Aug 202507:47	–	circl
CNNVD	Adobe Experience Manager 代码问题漏洞	5 Aug 202500:00	–	cnnvd
CNVD	Adobe Experience Manager XML Entity Injection Vulnerability (CNVD-2025-21172)	11 Aug 202500:00	–	cnvd
CVE	CVE-2025-54254	5 Aug 202516:53	–	cve
EUVD	EUVD-2025-23638	3 Oct 202520:07	–	euvd
NCSC	Vulnerabilities fixed in Adobe Experience Manager	17 Oct 202510:44	–	ncsc

[
  {
    "defaultStatus": "affected",
    "product": "Adobe Experience Manager",
    "vendor": "Adobe",
    "versions": [
      {
        "lessThanOrEqual": "6.5.23",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
helpx	www.helpx.adobe.com/security/products/aem-forms/apsb25-82.html

22 Aug 2025 16:33Current

CVSS 3.18.6

EPSS0.85527

CWE-611